We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

SEC finds confidentiality agreements violates whistleblower rules

The SEC announced its first enforcement action against a company for using improperly restrictive language in confidentiality agreements with the potential to stifle the whistleblowing process.

For those who follow this area, it was not a big surprise as the SEC has been known to be trolling for defendants to make a point. I wouldn’t be surprised if there are others in the SEC’s cross hairs now, and if not, there soon will be soon.

More specifically, defendant KBR, Inc. used confidentiality statements in conjunction with internal investigations. The statement provided as follows:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

It’s important to note that the SEC was unaware of any instances in which:

a KBR employee was in fact prevented from communicating directly with SEC staff about potential securities law violations, or

KBR took action to enforce the form confidentiality agreement or otherwise prevent such communications.

According to the SEC, the language found in the form confidentiality statement impedes communications to the SEC by prohibiting employees from discussing the substance of their interview without clearance from KBR’s law department under penalty of disciplinary action. As a result, according to the SEC, this language “undermines the purpose” of Section 21F and Rule 21F-17(a), which is to “encourage[e] individuals to report to the Commission.”

Without admitting or denying the findings, KBR chose to settle the action by paying a civil monetary penalty of $130,000. In addition, among other things, KBR undertook to revise the form of confidentiality statement as follows:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

Can KBR claim unfair surprise by this enforcement action? Absolutely. The adopting release (page 201) only provides “Thus, an attempt to enforce a confidentiality agreement against an individual to prevent his or her communications with Commission staff about a possible securities law violation could inhibit those communications . . “ The proposing release (page 85) is pretty much the same and adds “The proposed rule would not, however, address the effectiveness or enforceability of confidentiality agreements in situations other than communications with the Commission about potential securities law violations.” There is nothing here regarding the mere existence of a confidentiality agreement outside of trying to enforce it, and the rule is directed at communications with the SEC and not other law enforcement agencies.

Nonetheless, rather than encourage a tangle with the SEC, most will want to revise their confidentiality agreements, or adopt a policy, to make sure certain reporting will not violate law. The revised KBR statement may not necessarily be the model to follow. I note that, in the absence of other statutory restrictions, a carve out permitting reporting to the SEC only will satisfy the text of Rule 21F-17, and broader restrictions on reporting are not covered by the Rule. Nonetheless, employers should be aware that broad restrictions may violate public policy as noted in footnote 82 in the proposing release.

Compare jurisdictions: Data Security & Cybercrime

“The Lexology newsfeed is very relevant to my practice and I like that you can tailor the newsfeed to include specific practice areas. I enjoy seeing a variety of approaches and I will read multiple articles on the same topic for the purpose of getting the fullest understanding of a new law, a court case or other legal development.”